Introducing the role of Data Protection Officer
by Mandy Webster
From May 2018 the General Data Protection Regulation (“GDPR”) will apply to all UK based organisations. One of the key changes to data protection law is the introduction of a requirement to appoint a Data Protection Officer where the core activities of the controller or processor consist of processing on a large scale of special categories of data which we know as “sensitive” data under the Data Protection Act 1998.
A designated Data Protection Officer is also required for all public authorities and public bodies and for organisations where personal data processing operations by their nature, their scope and purposes require regular and systematic monitoring of data subjects on a large scale. Organisations other than those targeted may choose to make a voluntary appointment of a designated Data Protection Officer.
The attributes of a Data Protection Officer
The Data Protection Officer should report directly to the highest management level of the organisation. The person designated must have professional qualities and in particular expert knowledge of data protection law and practice.
The Data Protection Officer may be a staff member or fulfil the tasks on the basis of a service contract but the organisation must ensure that conflicts of interest are avoided. This may present a difficulty if the Data Protection Officer is an employee with other tasks to perform especially if those tasks include handling personal data.
The organisation must ensure that the Data Protection Officer role is adequately resourced including providing appropriate training to maintain their expert knowledge. The Data Protection Officer should not be given instructions in relation to the prescribed tasks and must not be dismissed or penalised by the controller or processor for performing those tasks.
Publicity and accessibility
The organisation is required to publish the contact details of the data protection officer and communicate them to the supervisory authority (the Information Commissioner’s Office in the UK).
The Data Protection Officer is the point of contact for data subjects who have issues regarding how their personal data is processed and those who want to exercise their rights under the GDPR. The supervisory authority will also channel communication with the organisation via the designated Data Protection Officer.
Tasks of the DPO
The tasks set out as a minimum in the GDPR are as follows:
- to inform and advise the organisation, and those of its employees whose role involves handling personal data, of their obligations under the GDPR and other data protection laws
- to monitor compliance with the GDPR and other data protection laws and with the policies of the organisation in relation to the protection of personal data including assignment of responsibilities, awareness raising and staff training and related audits
- to provide advice on Data Protection Impact Assessments and
- to cooperate with the supervisory authority and act as contact point for the supervisory authority on data protection issues.
The Data Protection Officer is to adopt a risk management approach based on the nature, scope, context and purposes of the processing. A duty of confidentiality shall apply in relation to the role.
Issues to consider
From 2018 many organisations will be under a duty to appoint a Data Protection Officer to oversee data protection compliance. The person appointed will need to be appropriately qualified and experienced. The process of identifying and training an appropriate individual should commence as soon as possible, bearing in mind that appropriate candidates may be scarce as many organisations will be in the market for the same talent. Consideration should also be given to succession planning in what will be a key role. It will doubtless be assumed that some Company Secretaries will automatically take on the role, but is it a role for the Company Secretary?
A key principle of the new Regulation is Accountability and the usual compliance position applies: “if it is not documented it does not exist.” Consideration of how data protection compliance is managed will provide a framework and help to highlight record keeping requirements.
Having a compliance framework will both support the Data Protection Officer and provide consistency through personnel changes. A framework could be used to train up several members of staff to carry out data protection monitoring functions and report on them. It will also help to evidence Accountability and provide an audit trail.
And if we get it wrong…?
It is serious stuff. An organisation which either intentionally or negligently fails to designate a Data Protection Officer, or does not ensure the conditions for fulfilling the DPO tasks, is open to an administrative fine of up to 10,000,000 euros or 2% of annual worldwide turnover, whichever is greater.